
Peer certificate rejected by ChainVerifier

Former Member
0 Kudos

I have a connection issue on one of my SOAP Channels.

I am running Version PI 7.0. Service Pack: 07 Release: NW07_07_REL

the error is:


2010-07-22 12:32:10 Information Message successfully put into the queue. 
2010-07-22 12:32:10 Information The message was successfully retrieved from the receive queue. 
2010-07-22 12:32:10 Information The message status was set to DLNG. 
2010-07-22 12:32:10 Information Delivering to channel: JobPositionPublication_SOAP_Receiver 
2010-07-22 12:32:10 Information SOAP: request message entering the adapter with user J2EE_GUEST 
2010-07-22 12:32:10 Error SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier 
2010-07-22 12:32:10 Information SOAP: sending a delivery error ack ... 
2010-07-22 12:32:10 Information SOAP: sent a delivery error ack 

SOAP: call failed: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

We added an SSL certificate via STRUST (and asked for a new certificate) and restarted the ICM, but the error persists.

I searched the forum and found others had a similar issue, and none of the solutions they used to rectify the issue have so far worked for us.

Has anyone come across this issue and have some suggestions on what/where to fix it?

I have changed settings in the Communication Channel... and the error persists.....

Accepted Solutions (1)


udo_martens
Active Contributor
0 Kudos

Hi Barry,

>we added an SSL certificate via STRUST (and asked for a new certificate). restarted the ICM but the error persists.

The SOAP adapter belongs to the Java stack; you have to store the certificate there. I assume in PI 7.0 via Visual Admin (newer releases: NetWeaver Administrator).

Regards,

Udo

Former Member
0 Kudos

I loaded the certificate into the DEFAULT key storage store and we are now connecting.

A whole bunch of different errors, but they relate to the .Net system I am connecting to! 🐵

thank you!

Answers (7)


0 Kudos

Hi experts,

We are facing the same error in PI 7.4.

How do we change the certificate? Please guide us through the process.

former_member208396
Participant
0 Kudos

Hi Ram,

You have to make sure that the points mentioned below are taken care of.

  • The required certificates are installed in the correct path of NWA (for path details, get in touch with your Basis team) and the STRUST location of the server.
  • All the certificates are valid and up to date.
  • The same certificate must also be installed on the sender and receiver ends.

If all the above points are taken care of, just restart your channel. It should work fine.

Regards,

Vishnu Srivastava

Former Member
0 Kudos

Well... just when i thought this was all working...

I am now getting the same error again, and this is because I am getting the following error when I go to the website:

There is a problem with this website's security certificate.

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.

Any thoughts on how I can bypass this error?

Former Member
0 Kudos

Obtained the new certificate myself as the one I was sent was corrupt!

markangelo_dihiansan
Active Contributor
0 Kudos

Hello,

If there was an intermediate CA, then have you installed it?

Regards,

Former Member
0 Kudos

The target system provided the certificate.

We loaded it into the NWA.

The Communication channel is set up to use the certificate

and the whole process fails...

Former Member
0 Kudos

Thanks for all the responses.

The certificate was in the NWA - Keystore.

It has not expired.

It does have the FQDN.

It is driving me bonkers.....

Former Member
0 Kudos

Do you mean the SSL certificate from your endpoint or the root certificate from the CA?

0 Kudos

Hi,

If the end point of the SOAP call (server) is configured to accept a client certificate (mandatory), then make sure that it is configured correctly in the SOAP channel and that it is also within its validity period. (This certificate is the one which is sent to the server for client authentication.)

Regards,

Caio Cagnani

0 Kudos

Hi!

Basically, the main reasons for the error mentioned here are the following:

1. The correct server certificate is not present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in these two URLs:

Security Configuration at Message Level

http://help.sap.com/saphelp_nw70/helpdata/en/ea/c91141e109ef6fe10000000a1550b0/frameset.htm

2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if that is the case, renew it or extend the validation.

3. Some other customers have reported a similar problem, and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own->Intermediate->Root. To explain in detail: if your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again.

Also check if the correct keystore was imported for the client.

And the CN = Full name of host or IP address of the server.

Regards,

Caio Cagnani
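
The ordering rule from the answer above (Own->Intermediate->Root, with a self-signed root last), checked on a PEM bundle; this is an added example, not part of the original thread and not SAP or IAIK code. It assumes the OpenSSL command-line tool is installed; the function names, file names and certificates are constructed for illustration, and only issuer/subject names are compared, not signatures or validity dates.

```sh
# Added example: checks that a PEM bundle is ordered Own -> Intermediate -> Root.
# Certificates are constructed test data; only names are compared, not signatures.

issue() {   # $1 = dir, $2 = new cert name, $3 = issuing CA name, $4 = subject CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 2 -out "$1/$2.pem" 2>/dev/null
}

make_constructed_chain() {   # builds A (server), B (intermediate), C (root) in $1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root C" \
        -keyout "$1/C.key" -out "$1/C.pem" 2>/dev/null
    issue "$1" B C "Constructed Intermediate B"
    issue "$1" A B "host.example.test"
}

check_chain_order() {   # $1 = PEM bundle; 0 = ordered, 1 = wrong order, 2 = no certs
    work=$(mktemp -d)
    # Split the bundle into one file per certificate, preserving file order.
    awk -v d="$work" '/BEGIN CERTIFICATE/ {n++} n {print > (d "/" n ".pem")}' "$1"
    [ -f "$work/1.pem" ] || { rm -rf "$work"; return 2; }
    i=1 rc=0
    while [ -f "$work/$i.pem" ]; do
        next=$((i + 1))
        # Each issuer must be the subject of the next entry; the last entry
        # has no successor, so it must be self-issued (the root).
        [ -f "$work/$next.pem" ] && parent=$next || parent=$i
        issuer=$(openssl x509 -in "$work/$i.pem" -noout -issuer_hash)
        wanted=$(openssl x509 -in "$work/$parent.pem" -noout -subject_hash)
        if [ "$issuer" != "$wanted" ]; then
            echo "position $i: issuer is not the subject at position $parent" >&2
            rc=1
        fi
        i=$next
    done
    rm -rf "$work"
    return "$rc"
}

demo=$(mktemp -d)
make_constructed_chain "$demo"
cat "$demo/A.pem" "$demo/B.pem" "$demo/C.pem" > "$demo/ordered.pem"
cat "$demo/B.pem" "$demo/A.pem" "$demo/C.pem" > "$demo/shuffled.pem"   # B, A, C as in the post
for f in ordered shuffled; do
    if check_chain_order "$demo/$f.pem"; then echo "$f: order OK"; else echo "$f: wrong order"; fi
done
```

To check a real bundle, export the chain as concatenated PEM and pass that file to `check_chain_order` before importing it into the TrustedCA keystore view.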

Former Member
0 Kudos

Hi Barry,

The SOAP adapter uses the J2EE Adapter Engine. Adding a root certificate in STRUST won't do much about your problem. Try and import the root certificate to the appropriate keystore in the Visual Administrator. No restart is required.

Alternatively, open the SOAP endpoint in your browser and check whether the SSL connection is valid.